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ICO consultation on the draft updated data sharing 
code of practice 


Data sharing brings important benefits to organisations and individuals, 
making our lives easier and helping to deliver efficient services. 


It is important, however, that organisations which share personal data 
have high data protection standards, sharing data in ways that are fair, 
transparent and accountable. We also want organisations to be confident 
when dealing with data sharing matters, so individuals can be confident 
their data has been shared securely and responsibly. 


As required by the Data Protection Act 2018, we are working on updating 
our data sharing code of practice, which was published in 2011. We are 
now seeking your views on the draft updated code. 


The draft updated code explains and advises on changes to data 
protection legislation where these changes are relevant to data sharing. It 
addresses many aspects of the new legislation including transparency, 
lawful bases for processing, the new accountability principle and the 
requirement to record processing activities. 


The draft updated code continues to provide practical guidance in relation 
to data sharing and promotes good practice in the sharing of personal 
data. It also seeks to allay common concerns around data sharing. 


As well as legislative changes, the code deals with technical and other 
developments that have had an impact on data sharing since the 
publication of the last code in 2011. 


Before drafting the code, the Information Commissioner launched a call 
for views in August 2018. You can view a summary of the responses and 
some of the individual responses here. 


If you wish to make any comments not covered by the questions in the 
Survey, or you have any general queries about the consultation, please 


email us at datasharingcode@ico.org.uk. 


Please send us your responses by Monday 9 September 2019. 


Privacy Statement 


For this consultation, we will publish all responses except for those where 
the respondent indicates that they are an individual acting in a private 
Capacity (e.g. a member of the public). All responses from organisations 
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and individuals responding in a professional capacity will be published. We 
will remove email addresses and telephone numbers from these 
responses; but apart from this, we will publish them in full. 


For more information about what we do with personal data please see our 
privacy notice. 


Questions 


Note: when commenting, please bear in mind that, on the whole, the 
code does not duplicate the content of existing guidance on particular 
data protection issues, but instead encourages the reader to refer to the 
most up to date guidance on the ICO website. 


Qi Does the updated code adequately explain and advise on the new 
aspects of data protection legislation which are relevant to data 
sharing? 


[| Yes 


K No 


Q2 If not, please specify where improvements could be made. 


Whilst the document is 105 pages in length, a significant amount 
of this is high level information that would not be of significant 
benefit to individuals who are already aware of/working with the 
GDPR/DPA 2018 


Page 39-40 - There is no guidance on when it would be 


appropriate to share data on the basis of the substantial public 
interest conditions in Part 2 of Schedule 1 of the DPA, in particular 
under Paragraph 6 which requires processing to be “necessary” 
for a statutory function, and “necessary for reasons of substantial 
public interest” and in accordance with an “appropriate policy 
document”. Also, there is no guidance how an appropriate policy 
document should properly address data sharing. 
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Q3 Does the draft code cover the right issues about data sharing? 
[|] Yes 


K No 


Q4 If no, what other issues would you like to be covered in it? 


e International transfers - Whilst we appreciate that guidance on 
this matter may change depending on how Brexit may progress, 
the CoP currently offers no specific detail on transfers outside of 
the EEA and instead refers the reader to the ICO website. In our 
view this element should be contained with the CoP (e.g. detail of 
appropriate safeguards and how these specifically relate to 
controller to controller sharing). 

e The CoP takes a very high level approach with regard to the 
potential lawful bases under which sharing could be considered. 
Whilst these bases are listed, there are no specific details, for 
example, of scenarios where it may be appropriate (or 
inappropriate) to share data with another controller via contract, 
or via legitimate interests. Practitioners will most likely be aware 
of the legal obligations under the law in this regard - the code 
Should, rather, consider their practical application. It would be 
helpful to consider each Article 6 lawful basis in turn in this 
respect and provide examples of where sharing would/would not 
be considered appropriate. 


Q5 Does the draft code contain the right level of detail? 
[c Yes 


K No 


Q6 If no, in what areas should there be more detail within the draft 
code? 


Q7 


Q8 
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The CoP needs to include significantly more examples. As of the 
present time, examples heavily revolve around health and social 
care and these should be more varied. Examples should be 
included within the relevant section of the CoP rather than as an 
Annex, so as to enable quick reference. 


In particular, the sections on ‘Sharing personal data in databases 
and lists’ and ‘Data ethics and data trusts’ contain no examples. 
In the case of the former, this would be particularly helpful, as the 
section is only three pages long, and the summary section 
contains, in large part, the same wording as the actual chapter 
itself. It is not particularly helpful ‘the data protection legislation 
allows you to do this as long as you comply with the law’. 


There should also be examples of good and bad practice, and 
these examples should be realistic. For example, p.35 provides an 
example of data sharing between the Police and a local authority 
in respect of a gangs database. It immediately states that ‘the 
council went on to share it inappropriately with a number of 
organisations’, however, merely stating that the sharing was 
inappropriate isn’t of much assistance. The example should 
explain why the sharing was inappropriate in this context 


P. 59 makes reference to public authorities being able to rely on 
implied statutory powers (under public task) and states ‘You can 
rely on this power to share data so long as it is sufficiently 
foreseeable and transparent’. There is no further information, 
however, of when this would be the case (and where it might 
not). Again, we feel this should have specific examples. 


Has the draft code sufficiently addressed new areas or 
developments in data protection that are having an impact on your 
organisation's data sharing practices? 


[| Yes 


K No 


If no, please specify what areas are not being addressed, or not 
being addressed in enough detail 
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e As per Q.6 above, p.85 -Data ethics and trusts could be expanded 
in this regard. 


Q9 Does the draft code provide enough clarity on good practice in data 
sharing? 


[| Yes 


K No 


Q10 If no, please indicate the section(s) of the draft code which could be 
improved, and what can be done to make the section(s) clearer. 


e Please see previous responses. We are also of the view that what 
is good practice can be helped considerably by the provision of 
realistic examples of what is bad practice. 


Q11 Does the draft code strike the right balance between recognising 
the benefits of sharing data and the need to protect it? 


Yes 


O No 


Q12 If no, in what way does the draft code fail to strike this balance? 
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Q13 Does the draft code cover case studies or data sharing scenarios 
relevant to your organisation? 


[| Yes 


K No 


Q14 Please provide any further comments or suggestions you may have 
about the draft code. 


As per our previous response, the examples provided are, in the main, 
very much health focused. There should be a range of different industry 
scenarios and processing conditions. 


Q15 To what extent do you agree that the draft code is clear and easy 
to understand? 


Strongly agree 

Agree 

Neither agree nor disagree 
L Disagree 

O Strongly disagree 


Q16 Are you answering as: 
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L] An individual acting in a private capacity (e.g. someone 
providing their views as a member of the public of the public) 


O An individual acting in a professional capacity 
On behalf of an organisation 
O Other 


Please specify the name of your organisation: 


Leeds City Council 


Thank you for taking the time to share your views and experience. 


